The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) recently announced the first-ever settlement related to a Covered Entity’s untimely breach notification in violation of HIPAA. Presence Health, a health care network in Illinois, discovered a breach of unsecured personal health information (PHI) on October 22, 2013, but did not report it to OCR until over three months later, on January 31, 2014. OCR determined that Presence Health failed to notify OCR, each of the affected individuals, and prominent media outlets of the breach without unreasonable delay and within 60 days of learning of the breach, as required of Covered Entities under HIPAA. The violation resulted in a $475,000 settlement between OCR and Presence Health.

HHS Office for Civil Rights will cast a wider net and increase its investigations into smaller HIPAA privacy breaches starting this month. OCR announced a new initiative to increase its efforts examining breaches that affect fewer than 500 individuals. OCR Regional Offices already investigate every reported breach affecting 500 or more individuals, and will continue to do so, but now they will intensify efforts to scrutinize smaller breaches.

Investigations into the root cause of even a small breach can uncover system- and enterprise-wide noncompliance and security and privacy shortcomings. An investigation into a single stolen laptop that held the PHI of 80 individuals may uncover an entity’s failure to encrypt any of the data it stores and uses. And just as easily as a larger breach, a small breach can reveal that a covered entity has not completed a full risk assessment of its organization and its PHI protections.

In its latest e-mail, OCR confirms that notification letters were delivered on Monday, July 11, 2016, to 167 health plans, health care providers and health care clearinghouses notifying them of their inclusion in the desk audit portion of the audit program. The desk audits will examine the selected entities’ compliance with HIPAA’s Privacy, Security, and Breach Notification Rules by examining certain documentation that the entities are required to maintain under HIPAA. OCR provides the following table setting forth the subject matter of the documentation review:

Notably, the three areas covered under the Privacy Rule relate to how patients are made aware of their rights under HIPAA and how they can access their own medical records. The desk audit does not focus on policies related to uses and disclosures of PHI. This emphasis dovetails with OCR’s recent efforts to educate patients and providers about patient access rights (which we previously covered here).

Entities have 10 business days, until July 22, 2016, to respond to the document requests.

OCR separately notes that desk audits of business associates will occur this fall. We will continue to follow developments in the Phase II audit program and bring you updates and analysis as they occur.

On Monday, the Office for Civil Rights (OCR) released important new guidance on ransomware for hospitals and other healthcare providers and finally addressed the question of whether electronic protected health information (ePHI) that has been encrypted on a covered entity’s systems, but potentially not accessed by the hacker, has been breached for HIPAA purposes. Back in March, OCR highlighted the threat of ransomware in its “OCR Cyber-Awareness Monthly Update.” Rather than just describing the threat, yesterday’s guidance ties the prevention of, detection of, and response to a ransomware attack to a Covered Entity’s obligations under HIPAA. A key component of the guidance provides that a ransomware attack that encrypts a Covered Entity’s ePHI is presumed to be a breach. As ransomware can infect a Covered Entity’s entire system, this presumption may lead to enormous breach notification obligations.

On March 21st, the HHS Office for Civil Rights (“OCR”) officially launched Phase 2 of the HIPAA Audit Program. Covered Entities and Business Associates need to be prepared for these audits and be on the lookout for emails from OCR that will begin the audit process.

Why Audits? Why Now?

The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) requires OCR to periodically audit both Covered Entities and Business Associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules. OCR conducted Phase 1 audits in 2011 and 2012. The Phase 1 audits only examined Covered Entities and the results were generally disappointing. Only 11% of the entities audited had no findings or observations and many findings related to Security Rule compliance. After many delays, OCR is now proceeding with Phase 2.

What’s Happening This Time Around?

OCR will conduct both desk audits and on-site audits of Covered Entities and Business Associates. The first round of desk audits will be for Covered Entities, with a second round for Business Associates. Desk audits are supposed to be completed by December 2016. Entities selected for audits will be notified via email and will have 10 business days to submit requested information to OCR through an online portal. Auditors will share draft audit reports with audited entities, allowing them 10 business days to review the draft report. A final report will be shared with the entity.

Covered entities and business associates having difficulty distinguishing the old “harm standard” and the new Omnibus Rule analysis should understand that the latter clearly imposes a rebuttable presumption that a breach of protected health information will require notification to affected individuals and the government, except under narrow circumstances. As the article concludes, “striking a balance between an inquiry that meets the risk assessment’s requirements but that minimizes the over-reporting of breaches will be a challenge that covered entities and business associates will need to address” for years to come.

Our firm consistently monitors the HHS Office of Civil Rights’ enforcement and monitoring activities and writes posts noting trends in the area of HIPAA compliance, so keep checking the blog for current health care privacy and security news.

Since 2009, the HHS Office for Civil Rights (“OCR”) has posted all large data breaches – those that involve 500 or more individuals – online on its so-called “Wall of Shame.” In 2013, 160 large data breaches were reported to OCR and posted on the Wall of Shame. Taken together, these breaches involved the unsecured protected health information (“PHI”) of nearly 6.85 million individuals.

The following top five breaches of 2013 accounted for over 88% of all individuals affected by large data breaches in that year:

Of these five breaches, one breach involved the PHI of over four million individuals; the other four breaches each affected over 150,000 individuals. Three out of these five breaches resulted from the theft of equipment or electronic files with unencrypted PHI. The two remaining breaches were due to errors by business associates: one that failed to destroy microfiches containing PHI that ultimately ended up in several local parks; and one that made a computer programming error and transmitted records to an unintended party. Interestingly, the first incident involved the PHI of patients seen by the facility between 1980 and 1990, demonstrating that older PHI is no safer from improper disclosure than newly generated PHI.

These incidents from 2013 should alert covered entities, business associates, vendors and other agents handling PHI to the following lessons:

Encrypt, encrypt, and encrypt again – in one of the breaches, the hospital system had focused on encrypting their laptops, but had not yet completed encrypting the desktops that contained PHI;

Monitor where PHI is going – if (or when) PHI gets inadvertently transmitted to the wrong party, knowing where it went will help the breaching party to perform an adequate risk assessment under 45 C.F.R. 164.402(2); and

Follow up (and follow through) on the destruction of PHI – having policies on how to properly protect or destroy older PHI records and following up with entities entrusted with completing those tasks will lessen the risk that these records will cause a future breach down the road.

The HIPAA Omnibus Rule goes into effect today, which officially starts the clock for covered entities, business associates, and their subcontractors to begin updating their agreements, forms, policies, procedures, and practices to meet approaching compliance deadlines.

Business Associate Agreement (BAA) and Data Use Agreement (DUA) compliance deadlines depend on whether there is a current agreement in place that meets regulatory requirements. New BAAs and DUAs must comply with Omnibus Rule requirements by September 23, 2013; otherwise, BAAs and DUAs that only became non-compliant after the Office for Civil Rights (OCR) released the Omnibus Rule may remain in effect until September 22, 2014 (or until the applicable agreement renewal date). All parties must still comply with the Breach Notification interim final rule requirements under the HITECH Act during the 180-day transition period between March 26th and September 23rd of this year.

In the meantime, covered entities and business associates should be at least planning, if not undertaking, the following tasks:

Mintz Levin’s Health Law Practice

As the health care and life sciences industries continue to undergo sweeping regulatory change, your company might be facing unprecedented structural and operational challenges. Heightened government scrutiny of industry practices certainly adds to the complexity of operating in the market for all providers, payors, manufacturers, distributors, and suppliers.